Malware Analysis Report

2025-01-22 19:40

Sample ID: 240601-b58l1aeb95
Target: 2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike
SHA256: 3c03c8d5dd4d8ee05f058b795c25c706444eac15fb4e2e444580fe3abe3d544a
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 3c03c8d5dd4d8ee05f058b795c25c706444eac15fb4e2e444580fe3abe3d544a

Threat Level: Known bad

The file 2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

xmrig

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobalt Strike reflective loader

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-01 01:44

Signatures

Cobalt Strike reflective loader
1 match; description, indicator, process and target not recorded (N/A)

Cobaltstrike family
cobaltstrike

Detects Reflective DLL injection artifacts
1 match; description, indicator, process and target not recorded (N/A)

UPX dump on OEP (original entry point)
1 match; description, indicator, process and target not recorded (N/A)

XMRig Miner payload
miner
1 match; description, indicator, process and target not recorded (N/A)

Xmrig family
xmrig

UPX packed file
upx
1 match; description, indicator, process and target not recorded (N/A)

Unsigned PE
1 match; description, indicator, process and target not recorded (N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 01:44
Reported: 2024-06-01 01:47
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches; description, indicator, process and target not recorded (N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 matches; description, indicator, process and target not recorded (N/A)

UPX dump on OEP (original entry point)

53 matches; description, indicator, process and target not recorded (N/A)

XMRig Miner payload

miner
56 matches; description, indicator, process and target not recorded (N/A)

Loads dropped DLL

21 matches, all with process C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe; description, indicator and target not recorded (N/A)

UPX packed file

upx
53 matches; description, indicator, process and target not recorded (N/A)

Drops file in Windows directory

21 files created by process C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe (target not recorded):
C:\Windows\System\SqJjBOA.exe
C:\Windows\System\iDcDcsJ.exe
C:\Windows\System\vaVfUXz.exe
C:\Windows\System\GSeZMDS.exe
C:\Windows\System\OkYKAza.exe
C:\Windows\System\SWzHZpE.exe
C:\Windows\System\PJTVrXP.exe
C:\Windows\System\KXcVSON.exe
C:\Windows\System\vMQZvbU.exe
C:\Windows\System\HgnpwOc.exe
C:\Windows\System\EQKNDQw.exe
C:\Windows\System\OyNokrd.exe
C:\Windows\System\haJhwgw.exe
C:\Windows\System\THpORPe.exe
C:\Windows\System\aHxjHMd.exe
C:\Windows\System\JOywBql.exe
C:\Windows\System\TEEQvCl.exe
C:\Windows\System\zubfBXq.exe
C:\Windows\System\WKmqmGF.exe
C:\Windows\System\EIYjneA.exe
C:\Windows\System\QFcUbtW.exe

Suspicious use of AdjustPrivilegeToken

Description: Token: SeLockMemoryPrivilege (2 identical entries)
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe
Indicator and target not recorded (N/A)

Suspicious use of WriteProcessMemory

Source process (PID 2728): C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe
Target processes (3 identical "wrote to memory" entries per PID; indicator not recorded):
PID 2032 C:\Windows\System\OkYKAza.exe
PID 2540 C:\Windows\System\zubfBXq.exe
PID 2688 C:\Windows\System\EQKNDQw.exe
PID 2552 C:\Windows\System\HgnpwOc.exe
PID 3020 C:\Windows\System\SqJjBOA.exe
PID 2656 C:\Windows\System\OyNokrd.exe
PID 2752 C:\Windows\System\haJhwgw.exe
PID 2536 C:\Windows\System\QFcUbtW.exe
PID 2716 C:\Windows\System\THpORPe.exe
PID 2396 C:\Windows\System\aHxjHMd.exe
PID 2452 C:\Windows\System\iDcDcsJ.exe
PID 2304 C:\Windows\System\vaVfUXz.exe
PID 2628 C:\Windows\System\JOywBql.exe
PID 2736 C:\Windows\System\GSeZMDS.exe
PID 1892 C:\Windows\System\SWzHZpE.exe
PID 1648 C:\Windows\System\WKmqmGF.exe
PID 2336 C:\Windows\System\PJTVrXP.exe
PID 2116 C:\Windows\System\KXcVSON.exe
PID 1952 C:\Windows\System\vMQZvbU.exe
PID 2152 C:\Windows\System\TEEQvCl.exe
PID 1620 C:\Windows\System\EIYjneA.exe

Processes

Process image (command line is identical to the image path unless shown):
C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\OkYKAza.exe
C:\Windows\System\zubfBXq.exe
C:\Windows\System\EQKNDQw.exe
C:\Windows\System\HgnpwOc.exe
C:\Windows\System\SqJjBOA.exe
C:\Windows\System\OyNokrd.exe
C:\Windows\System\haJhwgw.exe
C:\Windows\System\QFcUbtW.exe
C:\Windows\System\THpORPe.exe
C:\Windows\System\aHxjHMd.exe
C:\Windows\System\iDcDcsJ.exe
C:\Windows\System\vaVfUXz.exe
C:\Windows\System\JOywBql.exe
C:\Windows\System\GSeZMDS.exe
C:\Windows\System\SWzHZpE.exe
C:\Windows\System\WKmqmGF.exe
C:\Windows\System\PJTVrXP.exe
C:\Windows\System\KXcVSON.exe
C:\Windows\System\vMQZvbU.exe
C:\Windows\System\TEEQvCl.exe
C:\Windows\System\EIYjneA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 identical connection entries)

Files

Dropped files (per-file hash values and memory dump listings not reproduced here):
C:\Windows\system\OkYKAza.exe
C:\Windows\system\zubfBXq.exe
\Windows\system\EQKNDQw.exe
C:\Windows\system\SqJjBOA.exe
C:\Windows\system\OyNokrd.exe
\Windows\system\SqJjBOA.exe
C:\Windows\system\QFcUbtW.exe
C:\Windows\system\THpORPe.exe
C:\Windows\system\aHxjHMd.exe
C:\Windows\system\vaVfUXz.exe
C:\Windows\system\WKmqmGF.exe
C:\Windows\system\TEEQvCl.exe
C:\Windows\system\EIYjneA.exe
C:\Windows\system\vMQZvbU.exe
C:\Windows\system\KXcVSON.exe
C:\Windows\system\PJTVrXP.exe
C:\Windows\system\SWzHZpE.exe
C:\Windows\system\GSeZMDS.exe
C:\Windows\system\JOywBql.exe
C:\Windows\system\iDcDcsJ.exe
C:\Windows\system\haJhwgw.exe
C:\Windows\system\HgnpwOc.exe

memory/2728-131-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2656-132-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2540-134-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2032-133-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2688-135-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2552-137-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/3020-136-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2452-139-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2752-140-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2716-138-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2628-141-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2304-144-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2536-146-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2736-145-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2396-143-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2656-142-0x000000013FD10000-0x0000000140064000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:44

Reported

2024-06-01 01:47

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UwUdlBL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oUOnFiU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nbNDogY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xKmvrWa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bvndusq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AwEBgDH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BbzUVFV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PcYteHi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wOHyIYL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MYeVjDY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OzNXdlD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aZXQUHB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KdpiYGC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aTQrcNK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PoDKeZH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yADZsVp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GJgAZUi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\baosKaz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VfmTyJR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PbUuXKP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\phUQgvv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\UwUdlBL.exe
PID 4992 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\UwUdlBL.exe
PID 4992 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\oUOnFiU.exe
PID 4992 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\oUOnFiU.exe
PID 4992 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzNXdlD.exe
PID 4992 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\OzNXdlD.exe
PID 4992 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\PoDKeZH.exe
PID 4992 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\PoDKeZH.exe
PID 4992 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\yADZsVp.exe
PID 4992 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\yADZsVp.exe
PID 4992 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZXQUHB.exe
PID 4992 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZXQUHB.exe
PID 4992 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\AwEBgDH.exe
PID 4992 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\AwEBgDH.exe
PID 4992 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\BbzUVFV.exe
PID 4992 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\BbzUVFV.exe
PID 4992 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\PcYteHi.exe
PID 4992 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\PcYteHi.exe
PID 4992 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\GJgAZUi.exe
PID 4992 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\GJgAZUi.exe
PID 4992 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\baosKaz.exe
PID 4992 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\baosKaz.exe
PID 4992 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\nbNDogY.exe
PID 4992 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\nbNDogY.exe
PID 4992 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\VfmTyJR.exe
PID 4992 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\VfmTyJR.exe
PID 4992 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdpiYGC.exe
PID 4992 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdpiYGC.exe
PID 4992 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbUuXKP.exe
PID 4992 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbUuXKP.exe
PID 4992 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOHyIYL.exe
PID 4992 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\wOHyIYL.exe
PID 4992 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\xKmvrWa.exe
PID 4992 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\xKmvrWa.exe
PID 4992 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\MYeVjDY.exe
PID 4992 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\MYeVjDY.exe
PID 4992 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\aTQrcNK.exe
PID 4992 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\aTQrcNK.exe
PID 4992 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\phUQgvv.exe
PID 4992 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\phUQgvv.exe
PID 4992 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvndusq.exe
PID 4992 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvndusq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UwUdlBL.exe

C:\Windows\System\UwUdlBL.exe

C:\Windows\System\oUOnFiU.exe

C:\Windows\System\oUOnFiU.exe

C:\Windows\System\OzNXdlD.exe

C:\Windows\System\OzNXdlD.exe

C:\Windows\System\PoDKeZH.exe

C:\Windows\System\PoDKeZH.exe

C:\Windows\System\yADZsVp.exe

C:\Windows\System\yADZsVp.exe

C:\Windows\System\aZXQUHB.exe

C:\Windows\System\aZXQUHB.exe

C:\Windows\System\AwEBgDH.exe

C:\Windows\System\AwEBgDH.exe

C:\Windows\System\BbzUVFV.exe

C:\Windows\System\BbzUVFV.exe

C:\Windows\System\PcYteHi.exe

C:\Windows\System\PcYteHi.exe

C:\Windows\System\GJgAZUi.exe

C:\Windows\System\GJgAZUi.exe

C:\Windows\System\baosKaz.exe

C:\Windows\System\baosKaz.exe

C:\Windows\System\nbNDogY.exe

C:\Windows\System\nbNDogY.exe

C:\Windows\System\VfmTyJR.exe

C:\Windows\System\VfmTyJR.exe

C:\Windows\System\KdpiYGC.exe

C:\Windows\System\KdpiYGC.exe

C:\Windows\System\PbUuXKP.exe

C:\Windows\System\PbUuXKP.exe

C:\Windows\System\wOHyIYL.exe

C:\Windows\System\wOHyIYL.exe

C:\Windows\System\xKmvrWa.exe

C:\Windows\System\xKmvrWa.exe

C:\Windows\System\MYeVjDY.exe

C:\Windows\System\MYeVjDY.exe

C:\Windows\System\aTQrcNK.exe

C:\Windows\System\aTQrcNK.exe

C:\Windows\System\phUQgvv.exe

C:\Windows\System\phUQgvv.exe

C:\Windows\System\bvndusq.exe

C:\Windows\System\bvndusq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/4992-0-0x00007FF704450000-0x00007FF7047A4000-memory.dmp

memory/4992-1-0x00000265E90D0000-0x00000265E90E0000-memory.dmp

C:\Windows\System\UwUdlBL.exe

MD5 b047e197ce7245bd1857fdcf658d492b
SHA1 4104b00a77a8981cc7252d5249c79aad45250e41
SHA256 e767f1f3b9ee36157497cc6eafca28ff1cbbc85d3fe7d0e5912c049b7d2e17b4
SHA512 db128f844ce2b8f80e23ab73081867529c3f849be657f33e24bb26e16628221e23df03c4acb3872588c27d3bd079449c2d6ddc40f3a166ce143ffe95f3d8ec70

memory/5044-6-0x00007FF7F87E0000-0x00007FF7F8B34000-memory.dmp

C:\Windows\System\OzNXdlD.exe

MD5 42de3d3330cc0b12bfb43701727d1669
SHA1 a2fef3de61e9271178c5ea21b0c552a4ab8759e1
SHA256 ba951c90dd9ef7ea9594fadcc2c15f59ccd2e550f89cd33665aeb9dd8c711a13
SHA512 31373b4868b94ad7538dcbb01434985691464b96e713d8443d108c355a6a5b405715ceba05c1ac9b32ef47055b869e93b3e1476b20ab8cea281f8a7b9c9f0158

memory/2872-19-0x00007FF6FD8C0000-0x00007FF6FDC14000-memory.dmp

C:\Windows\System\PoDKeZH.exe

MD5 d067f7b588b287bbc8810e593d014edf
SHA1 b559af0ed7b656bbb6e0246a561e16ecd324a4d9
SHA256 cf19f198763c6ecac92879185e692bdda1a6d8154da40939e50cdb4f0ab03054
SHA512 e81f6f74fd230f3bae7794692ab7806a51aa738207a4c23870576dce397e7f189b48f344dc2b677b165ae47ac4bd2ae4b3e8fd3430a8cda94b5b8fc20e59f2a9

C:\Windows\System\yADZsVp.exe

MD5 1ed0a5bedebd4d28d710b13883f5242c
SHA1 52aa7dc3649838b88eaa7f78b320ab03e537ecdb
SHA256 8d33432f71e307971a77616ee611d494064d9c2a66f14eb9e81f8ce713614783
SHA512 e359a2e2a9ae9609b6a6314cbd76d7ad39e9a36c56acc08c2395cd18d38cd67bcbb1c9b57247334281ec444c42337105a24381ca10d584e3b7adb7ae14fc4409

C:\Windows\System\AwEBgDH.exe

MD5 d193a9dd77d8106abda5cf16cb3f13ec
SHA1 e15844500366bda194e9268af99df19ac9f1a7ae
SHA256 5de3de879c5b360128316b2c521069035a9634aca54d9c52f08ae4765693bab0
SHA512 5e3c82b6f8fb236186b10d101084d890e4858cb78bb86edc6ce40fbe7c783133991a97d79da667f0fb9cec4f1d27c769fd939444cccb06ee70597b1cadf28feb

memory/1368-42-0x00007FF73EEF0000-0x00007FF73F244000-memory.dmp

memory/2824-40-0x00007FF7ACFA0000-0x00007FF7AD2F4000-memory.dmp

C:\Windows\System\aZXQUHB.exe

MD5 0c3a4ed8d41cbbcdc02f9d32c4d7f9dd
SHA1 98d1f440329fc8f60dbfe4ea2875b407dfc81d20
SHA256 e20bd2ec8eed5411ef12eaf06ed850e623dd706b6cba45ae955ca3a2db2a015f
SHA512 0bb7cc94fcef98d1b2655305e8b88989d15ee65cdafef1207e5be6cf78917e2275c3b66398290fbc3ef6496579834e88a80bf126ef3472b3b5f21ed57d5375af

memory/2228-34-0x00007FF6D0AB0000-0x00007FF6D0E04000-memory.dmp

memory/928-26-0x00007FF75C920000-0x00007FF75CC74000-memory.dmp

memory/1236-14-0x00007FF77D980000-0x00007FF77DCD4000-memory.dmp

C:\Windows\System\BbzUVFV.exe

MD5 8833c3971a738e1d0423ebc019fa10bf
SHA1 32130decb23beea1d880a0928066ed96177e9b13
SHA256 9f829f1bbc20689cc578facb8a874fb9af5c183eb392a815c713e51a2d0fc3f5
SHA512 33c27b847b14be4ae9dfb6cce060656fa14308ca49c2236d8d36a21ba4c779614c2478ad553f635a783d9580ea7ba9e1430f5ac55d638f8657b4dde42de59f47

C:\Windows\System\PcYteHi.exe

MD5 2aaeed5ea7375ec62d5bcbcf737497e6
SHA1 7dd3ee77775b2fafaa2c2692c7549c5c5abe4406
SHA256 a1f69ee6d7e32814d94397b3fb4fc37002275942347636600216fa594119088f
SHA512 07d4e93e68cced11b491f2fbebaf6062566b187538cc1b4ee0bcb2b3cff23145584dc75ecad24f3f004bb1cd69eea9cd5b58c18dd3dd2f2bbc614e51b91aa5a9

memory/988-51-0x00007FF60A820000-0x00007FF60AB74000-memory.dmp

C:\Windows\System\baosKaz.exe

MD5 e740fd13fcc5beb486e5e18c9445b54f
SHA1 aa690345325ae5a6dea07e9b013b45d44a7dbb2a
SHA256 562a0d4a5e2a8ee07e692f8addd65379db35d1edcf5df5be70ea0befea633451
SHA512 d645986a69c71897c9c46674d0f117ad2bdc35c7706965c90cffe5c96cba1f744e3b423a2f07d102a6b85a42213dadd9c9a3303fff1b4a11716dca2b4b78bca0

C:\Windows\System\nbNDogY.exe

MD5 282acfad684ea72e3ab894e20c8343c6
SHA1 b107fc69f4099fbc63e96fc50ffb5ea7f1041aec
SHA256 5ef949f534ba893f09c9e9c846e560befa5784581bc0ba6d8114c8b254aad833
SHA512 8d9ce659a36c4a624f1442faf6747b340ff968ea8a27f5b2ef2247da2aaecb598657d153d9b2b1c8b2f6c20aa059335472efed29321fde3e6632f801776b21ec

memory/768-74-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp

C:\Windows\System\VfmTyJR.exe

MD5 eeb45b12e8da0d14454851fdbab5bf4d
SHA1 ffbc480ba7f1e07d8d69859632033afe2642e18b
SHA256 d6056a1ac74ebc66b26904414fdbac9bb22891c3a0b10d70f1f2aeac777a98b2
SHA512 a44757a3a1bb025aa8230a69568bc2dd331baf886347299148ece81fccd884f4a8be81982d42f83bcdb20e78c26d59d30c017730ef18f98c7a38a338c0911632

memory/2872-95-0x00007FF6FD8C0000-0x00007FF6FDC14000-memory.dmp

memory/1732-98-0x00007FF6739A0000-0x00007FF673CF4000-memory.dmp

memory/1508-99-0x00007FF62F9A0000-0x00007FF62FCF4000-memory.dmp

C:\Windows\System\wOHyIYL.exe

MD5 79d83db6e495e5fb3f9fefb54fe892c4
SHA1 af459028ff8bb113589585da08c34723dec1ce6a
SHA256 b813b1c544094f3d211faa5f6b32b0118c37ea09ce9d1ea888afc96238d2674b
SHA512 abc1f0ee428decd09b7b40cad9bc5d17898d2b5d92c5cab7180381b086b63b56372d3a3cb81ed990ed369f2ddb6b0fbc1f43f0a19061d8d83b0b60cd96dbbbe6

C:\Windows\System\MYeVjDY.exe

MD5 cb6d552efb2248fec6ecf5f665c86e3e
SHA1 08d68f912d05edb18127ae0b87e528c9f8154fc8
SHA256 ccebc7fc5d32a9fb276d2b27b385a225bbf2152c3ae9416c56862ffb49abc0c4
SHA512 2ac09f79e71cf42fd5cf319092569820c88eaeddbe1d937a3de99e2762527981218e407ec5d6c18ba14ceb9241ea90537b094be738d9ec67048322531c325ed6

C:\Windows\System\phUQgvv.exe

MD5 07c8c687f192ed24228f52fd83c1a257
SHA1 50bc12fcc24769e5b20f52df000993ce3b13679a
SHA256 b54f8cfe3b66cc502ff8d33cfa071cfc458884bdc0fed329c1c714ee385e9d73
SHA512 34bdf10702f42da8700df2bef6cb8858abfd40166de542e971115bd46faa6fec8bae63a353e85b67ead67f4fc6efda5f455bdf5dd280b8a981d9ba62bb59d8f8

C:\Windows\System\bvndusq.exe

MD5 15655c5b57a07ebe6e4a159e1683ac3f
SHA1 8ad898f5b99be11fc0f2f23cd7f108e53ee3770b
SHA256 9ae01dd438f7b7fbd3aff8f75b8d6e1947f86efd9c5c9214c120973c82bc95b4
SHA512 a44c09d29aff9850b92752f3322ca0500dbc90b4fb3c77371df804132555af4914a97d2743fcdc8dde69fe39063f8626c07d3f430d1b38824488e2173223236e

C:\Windows\System\aTQrcNK.exe

MD5 5065783677d4eeb978e232de0672ef74
SHA1 7d2ef57d5ed4a97a47a32d8c753e3e7a0ae9563f
SHA256 b76dcae1e487030ddfbb7c7236b9ff8303dc40a01c6bd92b9bd979db5c90be83
SHA512 f88577071f469d4d5f02afd6d046a0d70605605ed1525eb3954db776ebae2e097208c9a2186a12983580318502648b1b901a70891500bfa25e4dcc7b0c3ed575

C:\Windows\System\xKmvrWa.exe

MD5 b6cdd2101ca50de46661e5a5f4c1ace7
SHA1 50ff164e55b0406ef71de223347e396a047cef5f
SHA256 03ba3f138645a31b6f883c963558920bcd3f4312c2804e78948b3692de3341e4
SHA512 4f8eedf8ddf421eaacf97c2fe5a1092d3ab843e52cb5fbef4b12e93730d2b58be5570ed71b69ce55c1e38c15bbe0af3fabafdd43dbce69772ee6707c9714b41d

memory/4492-102-0x00007FF747F30000-0x00007FF748284000-memory.dmp

memory/3056-96-0x00007FF7F0A50000-0x00007FF7F0DA4000-memory.dmp

C:\Windows\System\PbUuXKP.exe

MD5 75b47ed7ebacb17744e864b4890668a5
SHA1 bdee6570dfe1798b6ff8188ff91e3d3cea7983f9
SHA256 505b9a3bb2dae54b91f94a3f012e547be58938472accb4729bc247755799cea5
SHA512 d8421e862b1f429ac28d7bcb3b0a2f0c880633968daf51ca87af925beb635f733f35b46c86a01e17cd32603dfc6cc9aba5f0a16382a7cbecf9fd3d0249a7eba0

C:\Windows\System\KdpiYGC.exe

MD5 177ca6fb2ee579a76d4ae51fead1fae4
SHA1 c2a9dc35999d72ec53f1f8263081f3d0874835a9
SHA256 adaf1e33d7039a66d2a3f94c4145bb87d30f23288a39ab98c28451615d4aa45a
SHA512 716b796a9b80a800b77f4be9d181a325dead2877fcfaefdaa0d1c6d32a9f63b3739a2c4cd828560ecb2edfa5523b62050654e8f7a5d33d5882328bd1a298fe47

memory/1236-77-0x00007FF77D980000-0x00007FF77DCD4000-memory.dmp

memory/5044-73-0x00007FF7F87E0000-0x00007FF7F8B34000-memory.dmp

memory/3240-72-0x00007FF77FF50000-0x00007FF7802A4000-memory.dmp

memory/5084-66-0x00007FF72E520000-0x00007FF72E874000-memory.dmp

memory/4992-65-0x00007FF704450000-0x00007FF7047A4000-memory.dmp

memory/4964-61-0x00007FF743040000-0x00007FF743394000-memory.dmp

C:\Windows\System\GJgAZUi.exe

MD5 49bc02431c2a7e46ce2cbbab830c7adf
SHA1 5ada9c583bb2a0571d699f92776cbd0c9c51bd8f
SHA256 6ee5099e701e8308456f1c213859db22ec87b1cbce606f1ac7aac6c3fd568851
SHA512 9efc9c82264452a6990ebca0984155a6d3eda04cd74fea8592126150aade08f59e983ba76f61d0cb30d9494efac3165fdb948573d312a9238a2fd6c7533f3534

C:\Windows\System\oUOnFiU.exe

MD5 c10406928201ed0759e534eb85146ce0
SHA1 600e50531e606c73113667d1e29967c4e1087642
SHA256 3a2050c919924317c666f651b84475dd4b90d349ff0ac8dcfd0764c16a064efc
SHA512 04cd4db5ba25e4c0f5eec2d310a1c210c52b23d25335395d8adfd59bee2859d4d8cd49ebd08cfd8d4d61b0fb0f5c442e82c39a5b5b9ce80000f0aa9ce55480e1

memory/928-127-0x00007FF75C920000-0x00007FF75CC74000-memory.dmp

memory/1556-129-0x00007FF77F500000-0x00007FF77F854000-memory.dmp

memory/2568-132-0x00007FF745A50000-0x00007FF745DA4000-memory.dmp

memory/3324-131-0x00007FF6BFB70000-0x00007FF6BFEC4000-memory.dmp

memory/4880-130-0x00007FF739BD0000-0x00007FF739F24000-memory.dmp

memory/4616-128-0x00007FF73C270000-0x00007FF73C5C4000-memory.dmp

memory/2824-133-0x00007FF7ACFA0000-0x00007FF7AD2F4000-memory.dmp

memory/1368-134-0x00007FF73EEF0000-0x00007FF73F244000-memory.dmp

memory/3240-135-0x00007FF77FF50000-0x00007FF7802A4000-memory.dmp

memory/768-136-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp

memory/4492-137-0x00007FF747F30000-0x00007FF748284000-memory.dmp

memory/5044-138-0x00007FF7F87E0000-0x00007FF7F8B34000-memory.dmp

memory/1236-139-0x00007FF77D980000-0x00007FF77DCD4000-memory.dmp

memory/2872-140-0x00007FF6FD8C0000-0x00007FF6FDC14000-memory.dmp

memory/928-141-0x00007FF75C920000-0x00007FF75CC74000-memory.dmp

memory/2228-142-0x00007FF6D0AB0000-0x00007FF6D0E04000-memory.dmp

memory/1368-144-0x00007FF73EEF0000-0x00007FF73F244000-memory.dmp

memory/2824-143-0x00007FF7ACFA0000-0x00007FF7AD2F4000-memory.dmp

memory/988-145-0x00007FF60A820000-0x00007FF60AB74000-memory.dmp

memory/4964-146-0x00007FF743040000-0x00007FF743394000-memory.dmp

memory/5084-147-0x00007FF72E520000-0x00007FF72E874000-memory.dmp

memory/3240-148-0x00007FF77FF50000-0x00007FF7802A4000-memory.dmp

memory/768-149-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp

memory/3056-150-0x00007FF7F0A50000-0x00007FF7F0DA4000-memory.dmp

memory/1508-152-0x00007FF62F9A0000-0x00007FF62FCF4000-memory.dmp

memory/1732-151-0x00007FF6739A0000-0x00007FF673CF4000-memory.dmp

memory/4492-153-0x00007FF747F30000-0x00007FF748284000-memory.dmp

memory/4616-154-0x00007FF73C270000-0x00007FF73C5C4000-memory.dmp

memory/1556-155-0x00007FF77F500000-0x00007FF77F854000-memory.dmp

memory/4880-156-0x00007FF739BD0000-0x00007FF739F24000-memory.dmp

memory/3324-158-0x00007FF6BFB70000-0x00007FF6BFEC4000-memory.dmp

memory/2568-157-0x00007FF745A50000-0x00007FF745DA4000-memory.dmp